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WE CLAIM: 

1. A computer program product operable to control an e-mail client computer to 
5 detect e-mail propagated malware, said computer program product comprising: 

e-mail generating logic operable to generate an e-mail message; 

comparison logic operable to compare said e-mail message with at least one of 
an address book of a sender of said e-mail message and one or more previously 
generated e-mail messages from said client computer; and 
1,0 identifying logic operable to identify said e-mail message as potentially 

containing malware if at least one of: 

(i) said e-mail message is being sent to more than a threshold number of 
addressees specified within said address book; 

(ii) said e-mail message contains mess^e content having at least a threshold 
15 level of similarity to message content of said previously generated e-mail messages 

being sent to more than a threshold number of addressees specified within said 
address book; and 

(iii) said e-mail message contains message content having at least a threshold 
level of similarity to message content of more than a threshold number of said 

20 previously generated e-mail messages. 

2. A computer program product as claimed in claim 1, wherein said e-mail 
message specifies a plurality of addressees, said comparison logic being operable to 
compare said plurality of addressees with said e-mail address book to determine if 

25 said at least a threshold number of addressees has been exceeded. 

3. A computer program product as claimed in claim 1, wherein said at least a 
threshold number of addressees is specified as a proportion of addressees vdthin said 
address book. 

30 

4. A computer program product as claimed in claim 3, wherein said proportion of 
addressees within said address book is user specified. 
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5. A computer program product as claimed in claim I, comprising quarantine 
queue logic operable to hold said previously generated e-mail messages in a 
quarantine queue for at least a predetermined quarantine period prior to being sent 
from said client computer. 

5 

6. A computer program product as claimed in claim 5, wherein said quarantine 
period is user specified. 

7. A computer program product as claimed in claim 1, comprising confirmation 
10 input logic operable when said e-mail message is identified as potentially containing 

malware to generate a user message seeking a confirmation input from a user of said 
client computer before said e-mail message is sent. 

8. A computer program product as claimed in claim 1, comprising administrator 
15 warning logic operable when said e-mail message is identified as potentially 

containing malware to send an administrator warning message to an administrator of 
said client computer regarding said e-mail message. 

9. A method of detecting e-mail propagated malware within an e-mail client 
20 computer, said method comprising the steps of: 

generating an e-mail message; 

comparing said e-mail message with at least one of an address book of a 
sender of said e-mail message and one or more previously generated e-mail messages 
from said client computer; and 
25 identifying said e-mail message as potentially containing malware if at least 

one of: 

(i) said e-mail message is being sent to more than a threshold number of 
addressees specified within said address book; 

(ii) said e-mail message contains message content having at least a threshold 
30 level of similarity to message content of said previously generated e-mail messages 

being sent to more than a threshold nxraiber of addressees specified within said 
address book; and 
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(iii) said e-mail message contains message content having at least a threshold 
level of similarity to message content of more than a threshold number of said 
previously generated e-mail messages. 

10. A method as claimed in claim 9, wherein said e-mail message specifies a 
plurality of addressees, said plurality of addressees being compared with said e-mail 
address book to determine if said at least a threshold number of addressees has been 
exceeded. 

11. A method as claimed in claim 9, wherein said at least a threshold number of 
addressees is specified as a proportion of addressees withm said address book. 

12. A method as claimed in claim 11, wherein said proportion of addressees 
within said address book is user specified. 

13. A method as claimed in claim 9, wherein said previously generated e-mail 
messages are held in a quarantine queue for at least a predetermined quarantine period 
prior to being sent firom said client computer. 

14. A method as claimed in claim 13, wherein said qiiarantine period is user 
specified. 

15. A method as claimed in claim 9, wherein when said e-mail message is 
identified as potentially containing malware, then a user message is generated seeking 
a confirmation input fi-om a user of said client computer before said e-mail message is 
sent. 

16. A method as claimed in claun 9, wherein when said e-mail message is 
identified as potentially containing malware, then an administrator warning message 
is sent to an administrator of said client computer regarding said e-mail message. 

17. Apparatus for detecting e-mail propagated malware within a client computer, 
said apparatus comprising: 

an e-mail generator operable to generate an e-mail message; 



13 



P11582US 



a comparitor operable to compare said e-mail message with at least one of an 
address book of a sender of said e-mail message and one or more previously 
generated e-mail messages from said client computer; and 

a malware identifier operable to identify said e-mail message as potentially 
containing malware if at least one of: 

(i) said e-mail message is being sent to more than a threshold nxmiber of 
addressees specified within said address book; 

(ii) said e-mail message contains message content having at least a threshold 
level of similarity to message content of said previously generated e-mail messages 
being sent to more than a threshold number of addressees specified within said 
address book; and 

(iii) said e-mail message contains message content having at least a threshold 
level of similarity to message content of more than a threshold number of said 
previously generated e-mail messages. 

18. Apparatus as claimed in claim 17, wherein said e-mail message specifies a 
plurality of addressees, said comparitor being operable to compare said plurality of 
addressees with said e-mail address book to determine if said at least a threshold 
number of addressees has been exceeded. 



19. Apparatus as claimed in claim 1, wherein said at least a threshold number of 
addressees is specified as a proportion of addressees within said address book. 

20. Apparatus as claimed in claim 19, wherein said proportion of addressees 
within said address book is user specified. 

21. Apparatus as claimed in claim 17, comprising a quarantine queue operable to 
hold said previously generated e-mail messages in a quarantine queue for at least a 
predetermined quarantine period prior to being sent from said client computer. 

22. Apparatus as claimed in claim 21, wherein said quarantine period is user 
specified. 
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23. Apparatus as claimed in claim 17, comprising a confirmation input unit 
operable when said e-mail message is identified as potentially containing malware to 
generate a user message seeking a confirmation input from a user of said client 
computer before said e-mail message is sent. 

24. Apparatus as claimed in claim 17, comprising an administrator warning unit 
operable when said e-mail message is identified as potentially containing malware to 
send an administrator warning message to an administrator of said client computer 
regarding said e-mail message. 



